Ghidra

© Elephant Scale

August 23, 2021

Overview

Ghidra, an open-source software reverse engineering (SRE) framework created by the NSA research directorate, enables users to analyze compiled code on any platform, whether Linux, Windows, or macOS. This course is a starting point for developers interested in leveraging Ghidra to create patches and extend tool capabilities to meet their cybersecurity needs.

You’ll begin by installing Ghidra and exploring its features, and gradually learn how to automate reverse engineering tasks using Ghidra plug-ins. You’ll then see how to set up an environment to perform malware analysis using Ghidra and how to use it in the headless mode. As you progress, you’ll use Ghidra scripting to automate the task of identifying vulnerabilities in executable binaries. The course also covers advanced topics such as developing Ghidra plug-ins, developing your own GUI, incorporating new process architectures if needed, and contributing to the Ghidra project.

Learning objectives

  • Develop the skills you need to harness the power of Ghidra
  • Analyze potential vulnerabilities in the code.
  • Point to potential vulnerabilities in the networks.
  • Avoiding potential vulnerabilities in code and networks.
  • Prevent potential vulnerabilities in networks.

Duration

  • 3 days

Audience

  • Security champions
  • Software developers
  • Project managers

Prerequisites

  • Knowledge of Java or Python
  • Experience developing software

Lab environment

  • Local development environment
  • A cloud-based environment can be provided

Course outline

  • Brief introduction to security and malware

  • Getting Started with Ghidra

    • The history of Ghidra
    • Program from the user perspective

  • Automating Tasks with Ghidra Scripts

    • How to use Ghidra scripts to automate reverse engineering tasks
    • Ghidra script development

  • Ghidra Debug Mode

    • Setting up Ghidra development environment
    • Debugging Ghidra
    • Ghidra debug mode vulnerability

  • Using Ghidra Extensions

    • Background for developing Ghidra extensions
    • Installing and using extensions

  • Reversing Malware Using Ghidra

    • How to use Ghidra for malware analysis
    • Reversing a real-world malware sample
    • Scripting for Java and Python
    • The analysis of a shellcode found in the malware sample

  • Using Ghidra Headless Analyzer

    • What is Ghidra Headless Analyzer?
    • Analyze a set of malware samples
    • Acquired samples with an earlier developed script

  • Auditing Program Binaries

    • Finding memory corruption vulnerabilities using Ghidra
    • Exploiting memory corruption
    • How to automate the bug hunting process via scripting
    • How to take advantage of the powerful PCode intermediate representation

  • Developing Ghidra Plugins

    • Ghidra extension development
    • What are the ways to get the most out of the Ghidra features implemented

  • Incorporating New Binary Formats

    • How to write Ghidra extensions to support new binary formats
    • Real-world file format example

  • Analyzing Processor Modules

    • How to write Ghidra processor modules
    • SLEIGH processor specification language

  • Contributing to the Ghidra Community

    • Community interaction using social networks and chats
    • How to contribute with your own development, feedback, bug reports, comments, and so on.

  • Extending Ghidra for Advanced Reverse Engineering

    • Advanced reverse engineering topics and tools
    • SMT solvers
    • Microsoft Z3
    • Static and dynamic symbex,
    • LLVM, and Angr
    • How to incorporate tools with Ghidra.